Injecting Security Controls in Software Applications
Katy Anton @KatyAnton
March 14, 2019
About me
• Software development background
• Principal Application Security Consultant - Veracode
• OWASP Bristol Chapter Leader
• Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls)
Injection

CWEs in Injection Category (Source: NVD)
• CWE-74: Injection
• CWE-77: Command Injection
• CWE-78: OS Command Injection
• CWE-79: Cross-site Scripting (XSS)
• CWE-88: Argument Injection
• CWE-89: SQL Injection
• CWE-90: LDAP Injection
• CWE-91: XML Injection
• CWE-93: CRLF Injection
• CWE-94: Code Injection
• CWE-943: Improper Neutralization of Special Elements in Data Query Logic
Decompose the Injection

Input              Output         Parser
GET / POST data    SQL            SQL parser
File uploads       HTML           HTML parser
HTTP headers       XML            XML parser
Database data      Bash script    Shell
Config files       LDAP query     LDAP parser

Input -> Output -> Parser
Data interpreted as code
Extract Security Controls

Input -> Output -> Parser

Vulnerability                      Encode Output   Parameterize   Validate Input
SQL Injection                                      R              R
XSS                                R                              R
XML Injection (XPath Injection)                    R              R
OS Cmd Injection                   R               R              R
LDAP Injection                     R                              R

R = applicable control. Encode Output and Parameterize are the primary controls (they keep data from reaching the parser as code); Validate Input is defence in depth.
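The three controls in the table, as an added example that is not code from the deck: a parameterized query keeps the query text fixed while the value is bound as data, output encoding targets the HTML parser at the point of output, and an argv list keeps user input away from the shell parser entirely. The in-memory sqlite3 table and the sample users are constructed for the example, and `sys.executable` stands in for whatever external command the application would really run.

```python
"""Injection controls: parameterize the query, encode for the output parser,
keep data out of the shell parser. Constructed example (sqlite3 in-memory DB)."""
import html
import sqlite3
import subprocess
import sys

PAYLOAD = "' OR '1'='1"  # tautology the SQL parser reads as code when concatenated


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Anti-pattern: string concatenation lets the input reach the SQL parser as code."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Primary control (Parameterize): the query text is fixed; the value is bound as data."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """Anti-pattern: the HTML parser will treat tags in the name as markup."""
    return f"<p>Hello, {name}</p>"


def render_greeting_encoded(name: str) -> str:
    """Primary control (Encode Output): encode for the HTML parser at the point of output."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def echo_arg_parameterized(value: str) -> str:
    """Primary control for OS command injection: an argv list means no shell parser runs,
    so ';' or '|' in the value arrive as literal characters in one argument.
    (shell=True with f"echo {value}" would hand the same string to /bin/sh.)"""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


def validate_username(name: str) -> bool:
    """Defence in depth (Validate Input): allow-list check rejects the payload before any parser."""
    return name.isascii() and name.isalnum() and 1 <= len(name) <= 32
```

Run `find_user_vulnerable(make_db(), PAYLOAD)` and every row comes back; the parameterized version returns nothing for the same input, because the tautology never reaches the parser as SQL.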
Sensitive Data Exposure
Data at Rest and in Transit

Vulnerabilities

Data type                                                            Encryption   Hashing
Data at rest: requires the initial value, e.g. credit card           R
Data at rest: doesn't require the initial value, e.g. user passwords              R
Data in transit                                                      R
How Not to Do it!
Data at Rest: Vulnerabilities

encryption_key = PBKDF2(password, salt, iterations, key_length);

In the same folder, two files:
The content of password.txt:

The key is derived from a password that is stored beside the data it protects, so whoever copies the folder can rebuild the key.
Security Controls: Encryption
Cryptographic Storage

Strong Encryption Algorithm:
• AES

Key Management
• Store unencrypted keys away from the encrypted data.
• Protect keys in a Key Vault (HashiCorp Vault / Amazon KMS).
• Keep away from homegrown key management solutions.
• Define a key lifecycle.
• Build support for changing algorithms and keys when needed.
• Document procedures for managing keys throughout the lifecycle.

Source: https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
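The "How Not to Do it" slide and the key-management bullets side by side, as an added example that is not the deck's code. It assumes the third-party `cryptography` package is installed for AES-GCM. `KeyVault` is a constructed stand-in for HashiCorp Vault / Amazon KMS, not a client for either; the envelope field names and the `k1`, `k2` key ids are this example's own.

```python
"""Data at rest: the anti-pattern (key derived from a co-located password) beside a
key-management pattern (key in a vault, envelope carries algorithm and key id).
Constructed example; assumes the 'cryptography' package."""
import hashlib
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM


# --- How not to do it -----------------------------------------------------------
def key_from_colocated_password(password_txt: bytes, salt: bytes) -> bytes:
    """The slide's anti-pattern: PBKDF2 over a password that sits in password.txt
    beside the ciphertext. A copy of the folder is a copy of the key material."""
    return hashlib.pbkdf2_hmac("sha256", password_txt, salt, 100_000, dklen=32)


def attacker_rebuilds_key(stolen_folder: dict) -> bytes:
    """An attacker holding the folder runs the same derivation and gets the same key."""
    return key_from_colocated_password(stolen_folder["password.txt"], stolen_folder["salt"])


# --- Security control: keys in a vault, only a key id travels with the data -------
class KeyVault:
    """Stand-in for HashiCorp Vault / Amazon KMS (constructed, not a real client).
    Keys never leave it as files next to the data; callers refer to them by id."""

    def __init__(self):
        self._keys = {}
        self.current_id = None

    def rotate(self) -> str:
        """Key lifecycle step: a new 256-bit key becomes current; old keys stay for decryption only."""
        key_id = f"k{len(self._keys) + 1}"
        self._keys[key_id] = AESGCM.generate_key(bit_length=256)
        self.current_id = key_id
        return key_id

    def key(self, key_id: str) -> bytes:
        return self._keys[key_id]


def encrypt_record(vault: KeyVault, plaintext: bytes) -> dict:
    """AES-256-GCM with a fresh 96-bit nonce. The envelope records alg and key id and binds
    them as associated data, so keys and algorithms can change later without guessing
    how old records were protected."""
    key_id = vault.current_id
    nonce = os.urandom(12)
    header = f"AES-256-GCM|{key_id}".encode()
    ct = AESGCM(vault.key(key_id)).encrypt(nonce, plaintext, header)
    return {"alg": "AES-256-GCM", "key_id": key_id, "nonce": nonce.hex(), "ct": ct.hex()}


def decrypt_record(vault: KeyVault, envelope: dict) -> bytes:
    """Dispatch on the envelope, not on a global setting: a key change is a per-record rollover."""
    if envelope["alg"] != "AES-256-GCM":
        raise ValueError(f"unsupported algorithm {envelope['alg']!r}")
    header = f"{envelope['alg']}|{envelope['key_id']}".encode()
    return AESGCM(vault.key(envelope["key_id"])).decrypt(
        bytes.fromhex(envelope["nonce"]), bytes.fromhex(envelope["ct"]), header
    )
```

Because the key id is authenticated along with the ciphertext, swapping the id on a stored record fails the GCM tag check instead of silently decrypting under the wrong key.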
Security Controls: Password Storage
Use a Strong Algorithm:
• PBKDF2
• bcrypt
• scrypt
• Argon2i
• Java
• PHP - password_hash() supports Argon2i from version 7.2

Source: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
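Password storage with PBKDF2 from the list above, as an added example that is not the deck's code, using only the Python standard library: a random per-user salt, a self-describing record so the work factor can be raised later, constant-time comparison, and a transparent rehash on the next successful login. The record format and the 600,000-iteration policy are this example's own choices.

```python
"""Password storage with PBKDF2-HMAC-SHA256 (stdlib). The password is never stored:
the slide's 'doesn't require the initial value' case. Constructed example."""
import base64
import hashlib
import hmac
import os

CURRENT_ITERATIONS = 600_000  # policy value; raise over time, old records get rehashed on login
SALT_BYTES = 16
DK_LEN = 32
ALG = "pbkdf2_sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<hash>' with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DK_LEN)
    return f"{ALG}${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    try:
        alg, iters, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if alg != ALG:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str) -> bool:
    """True when the stored record was made with a weaker work factor than current policy."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALG or int(parts[1]) < CURRENT_ITERATIONS


def login(password: str, stored: str) -> tuple[bool, str]:
    """Verify the password; on success, upgrade an out-of-policy record while the plaintext is available."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        stored = hash_password(password)
    return True, stored
```

Storing the parameters inside the record is what makes "build support for changing algorithms" from the previous slide possible for passwords: verification reads the work factor from the record, and policy lives in one constant.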
Security Controls: Data in Transit
TLS Everywhere!
• Client -> Application server
• Server -> Non-browser components
Intrusion Detection

"If a pentester is able to get into a system without being detected, then there is insufficient logging and monitoring in place."

Security Controls
Security Logging:
The security control that developers can use to log security information during the runtime operation of an application.
The 6 Best Detection Point Types
Good attack identifiers:
1. Authorisation failures
2. Authentication failures
3. Client-side input validation bypass
4. Whitelist input validation failures
5. Obvious code injection attack
6. High rate of function use

Source: https://www.owasp.org/index.php/AppSensor_DetectionPoints
Intrusion Detection Points Examples

Request Exceptions
• Application receives GET when expecting POST
• Additional form or URL parameters submitted with request

Authentication Exceptions
• The user submits a POST request which only contains the username variable. The password variable has been removed.
• Additional variables received during an authentication request (like 'admin=true')

Input Exceptions
• Input validation failure on server despite client-side validation
• Input validation failure on server side on non-user-editable parameters (hidden fields, checkboxes, radio buttons, etc.)

Source: https://www.owasp.org/index.php/AppSensor_DetectionPoints
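The detection points above run over constructed requests, as an added example that is not the deck's code or AppSensor's. The `Request` shape, the `/login` and `/profile` forms, the event kind names and the IP addresses are this example's assumptions; the point is that each detector is a few lines of code placed where the application already knows what a legitimate request looks like.

```python
"""AppSensor-style detection points over constructed requests: request, authentication
and input exceptions, plus a high-rate-of-use check. Constructed example."""
import json
from dataclasses import dataclass

LOGIN_FIELDS = {"username", "password"}
PROFILE_FIELDS = {"display_name", "newsletter"}
NEWSLETTER_VALUES = {"yes", "no"}  # a checkbox: a browser can only ever send these


@dataclass
class Request:
    """Constructed request shape (assumption); a web framework would populate this."""
    source: str
    path: str
    method: str
    params: dict


@dataclass
class DetectionEvent:
    kind: str    # RequestException / AuthenticationException / InputException, as on the slide
    detail: str


def detect(req: Request) -> list[DetectionEvent]:
    events: list[DetectionEvent] = []
    sent = set(req.params)
    if req.path == "/login":
        if req.method != "POST":  # request exception: GET when expecting POST
            events.append(DetectionEvent("RequestException", f"{req.method} to /login, POST expected"))
        missing = LOGIN_FIELDS - sent  # authentication exception: password variable removed
        if missing:
            events.append(DetectionEvent("AuthenticationException", f"login request missing {sorted(missing)}"))
        extra = sent - LOGIN_FIELDS  # authentication exception: additional variables such as admin=true
        if extra:
            events.append(DetectionEvent("AuthenticationException", f"additional variables {sorted(extra)}"))
    elif req.path == "/profile":
        extra = sent - PROFILE_FIELDS  # request exception: parameters the form never had
        if extra:
            events.append(DetectionEvent("RequestException", f"additional form parameters {sorted(extra)}"))
        newsletter = req.params.get("newsletter")
        if newsletter is not None and newsletter not in NEWSLETTER_VALUES:
            # input exception on a non-user-editable control: no browser produced this value
            events.append(DetectionEvent("InputException", f"checkbox 'newsletter' carried {newsletter!r}"))
        name = req.params.get("display_name", "")
        if name and not (len(name) <= 40 and name.replace(" ", "").isalnum()):
            # client-side JavaScript enforces the same whitelist, so a server-side
            # failure means the client-side validation was bypassed
            events.append(DetectionEvent("InputException", "display_name failed server-side whitelist"))
    return events


def high_rate_sources(requests: list[Request], path: str, threshold: int) -> set[str]:
    """Detection point 6: sources calling one function more than `threshold` times."""
    counts: dict[str, int] = {}
    for r in requests:
        if r.path == path:
            counts[r.source] = counts.get(r.source, 0) + 1
    return {src for src, n in counts.items() if n > threshold}


def log_line(req: Request, event: DetectionEvent) -> str:
    """Security logging: one structured line per event for the monitoring pipeline."""
    return json.dumps({"source": req.source, "path": req.path, "kind": event.kind, "detail": event.detail})
```

A request that trips none of these checks produces no event, so the detectors can be wired into the request pipeline without changing what the application does for legitimate users.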
Vulnerable Components
Using Software Components with Known Vulnerabilities

Root Cause
• Difficult to understand
• Easy to break
• Difficult to test
• Difficult to upgrade
• Increase technical debt
Components Examples
Example of external components:
• Open source libraries - for example: a logging library
• APIs - for example: vendor APIs
• Libraries/packages by another team within the same company
Example 1: Implement Logging Library
• Third-party provides logging levels: FATAL, ERROR, WARN, INFO, DEBUG.
• We need only: DEBUG, WARN, INFO.

Simple Wrapper
Helps to:
• Expose only the functionality required.
• Hide unwanted behaviour.
• Reduce the attack surface area.
• Update or replace libraries.
• Reduce the technical debt.
Example 2: Implement a payment gateway
Scenario:
• Vendor APIs - like payment gateways
• Can have more than one payment gateway in an application
• Require to be interchangeable

Adapter Design Pattern
• Converts from the provided interface to the required interface.
• A single Adapter interface can work with many Adaptees.
• Easy to maintain.

[Diagram: Your Code -> Adapter -> Third-party code]
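Example 1 and Example 2 in code, as an added example that is not the deck's: a wrapper that exposes only DEBUG/WARN/INFO, and an Adapter that lets two payment gateways be swapped behind one interface the application owns. `ThirdPartyLogger`, `VendorAGateway` and `VendorBGateway` are constructed stand-ins for vendor libraries, not real SDK APIs.

```python
"""Wrapper (Example 1) and Adapter (Example 2). Constructed stand-ins for third-party code."""
from abc import ABC, abstractmethod
from dataclasses import dataclass


# --- Third-party code (constructed stand-ins) ------------------------------------
class ThirdPartyLogger:
    """Provides FATAL/ERROR/WARN/INFO/DEBUG plus a network-appender hook we never want callers to reach."""

    def __init__(self):
        self.records = []

    def log(self, level: str, msg: str) -> None:
        self.records.append((level, msg))

    def set_external_appender(self, url: str) -> None:
        raise RuntimeError("unwanted behaviour: would ship logs to " + url)


class VendorAGateway:
    """Vendor A's interface: amount in cents, result as a dict."""

    def charge_cents(self, amount_cents: int, card_token: str) -> dict:
        return {"status": "ok", "txn": f"A-{card_token}-{amount_cents}"}


class VendorBGateway:
    """Vendor B's interface: amount as a decimal string, raises on rejection."""

    def make_payment(self, amount: str, currency: str, token: str) -> str:
        if amount == "0.00":
            raise ValueError("vendor B rejected zero amount")
        return f"B:{currency}:{amount}:{token}"


# --- Your code ---------------------------------------------------------------------
class AppLog:
    """Simple wrapper: the application sees three methods. FATAL/ERROR and
    set_external_appender are not exposed; replacing the library means editing this class only."""

    def __init__(self, backend: ThirdPartyLogger):
        self._backend = backend

    def debug(self, msg: str) -> None:
        self._backend.log("DEBUG", msg)

    def info(self, msg: str) -> None:
        self._backend.log("INFO", msg)

    def warn(self, msg: str) -> None:
        self._backend.log("WARN", msg)


@dataclass(frozen=True)
class PaymentResult:
    success: bool
    reference: str


class PaymentGateway(ABC):
    """The interface your code requires; each vendor's provided interface is adapted to it."""

    @abstractmethod
    def pay(self, amount_minor: int, currency: str, token: str) -> PaymentResult: ...


class VendorAAdapter(PaymentGateway):
    def __init__(self, gw: VendorAGateway):
        self._gw = gw

    def pay(self, amount_minor: int, currency: str, token: str) -> PaymentResult:
        r = self._gw.charge_cents(amount_minor, token)  # vendor A's API has no currency argument
        return PaymentResult(r["status"] == "ok", r["txn"])


class VendorBAdapter(PaymentGateway):
    def __init__(self, gw: VendorBGateway):
        self._gw = gw

    def pay(self, amount_minor: int, currency: str, token: str) -> PaymentResult:
        try:  # exceptions are vendor B's failure signal; convert them to the required result type
            ref = self._gw.make_payment(f"{amount_minor / 100:.2f}", currency, token)
        except ValueError as exc:
            return PaymentResult(False, str(exc))
        return PaymentResult(True, ref)


def checkout(gateway: PaymentGateway, amount_minor: int, currency: str, token: str, log: AppLog) -> PaymentResult:
    """Application code depends only on PaymentGateway and AppLog, never on a vendor type."""
    log.info(f"charging {amount_minor} {currency}")
    result = gateway.pay(amount_minor, currency, token)
    if not result.success:
        log.warn(f"payment failed: {result.reference}")
    return result
```

`checkout` is identical for both vendors; when a gateway changes its API or is replaced, only its adapter changes, and a vulnerable version of the logging library is swapped out behind `AppLog` without touching callers.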
Example 3: Implement a Single Sign-On
• Libraries/packages created by another team in the company
• Re-used by multiple applications
• Common practice in large companies

Façade Design Pattern
• Simplifies the interaction with a complex sub-system.
• Makes it easier to use a poorly designed API.
• It can hide away the details from the client.
• Reduces dependencies on the outside code.
Secure Software Starts from Design!
• Wrapper: to expose only required functionality and hide unwanted behaviour.
• Façade Pattern: to simplify the interaction with a complex sub-system.
• Adapter Pattern: to convert from the provided interface to the required interface.
How often?

Rick Rescorla
• United States Army officer of British origin
• Born in Hayle, Cornwall
• Director of Security for Morgan Stanley in the WTC
Security Controls Recap

[Diagram: a software application running on an application server on an operating system, with the controls from the talk placed on it: parameterized queries for parameter data, key management and secure data, encode output, validate input, log exceptions, TLS on every connection (client to server and server to other components), and third-party libraries and modules encapsulated behind wrappers.]
Final Takeaways
• Focus on security controls which prevent CWEs
• Verify regularly
Thank you very much
@KatyAnton